The invention relates to the field of personal identification, and in particular to the protection against skimming of identity documents provided with a machine readable electronic chip.
To improve the capacity of a controlling authority (like a law-enforcement or national security agency) to detect fake identity documents, a wide range of identity documents (such as passports, identity cards, driving licenses, resident cards or the like), are provided with a machine readable electronic chip. Such identity documents are intended to reduce fraud, ease identity checks and enhance security.
Moreover, according to given security check proposals, there are risks of data leakage that could lead to identity theft by passport skimming or risks of offending the bearer's privacy. Skimming basically consists in fraudulently reading the user data in the chip to replicate such data in the chip of another identity document (either on a completely fake passport or on a legally issued passport).
According to the designs, the chips can be accessed either through a contact interface or through a RFID interface. As its use is far more convenient, the RFID interface tends to generalize. Various risks shall be avoided with RFID interfaces. A first risk is to have a hidden fraudulent chip reader approach the identity document and capture its data.
For preventing such risks, ICAO recommends that e-Passports be designed with Basic Access Control (BAC) features and enhanced with a Password-based mechanism according TR-SAC (Supplemental Access Control). BAC recites two protections. A first protection is that the front and back cover of the e-passport be lined with aluminum to shield the chip. This means that the passport booklet must be opened in order to communicate with the RFID interface of the chip. The second protection is the implementation of a read key consisting of a Machine Readable Zone (MRZ) on the e-passport. The MRZ is commonly a string of alphanumeric characters. The Machine Readable Zone must be scanned and its fields that are protected by check-digits are used to derive Basic Access Keys serving for confidentiality and integrity of the exchanges with the chip. Thus, a fraudulent user is thereby prevented to access the chip as long as the MRZ remains hidden.
To carry out such transactions, the cryptographic configuration (defining the cryptographic security levels supported by the chip) are stored in a memory of the chip (files EF.CardAccess and EF.DG14). The security levels are declared by the chip to the checking terminal, the terminal selects an appropriate security level available and the transaction is then carried out. One possible fraud (particularly affecting the EF.CardAccess file) would be to modify the supported security levels declared in the chip to force the use of a degraded security level during the transaction. The fraudulent user could then more easily interfere during the transaction.
Many organizations are involved in the definition of the specifications of both the controlling process and the identity support security features. In the case of the e-passports, ICAO, ISO and various national agencies are notably involved. This leads to a tedious negotiation process, necessary to guarantee that different organizations throughout the world will select identical security specifications before further improvements are validated. This is particularly complicated for electronic passports that have to be controlled in a wide range of countries throughout the world, which involves setting identical specifications in the various countries. In practice, no satisfying solution to the above security issue was found, that would be both accepted by these authorities and comply with the specifications already in force.